Brekeke SIP Server Wiki

Security

This section describes how to configure Brekeke SIP Server security features. These features can protect your service against attacks or unauthorized use.

 


Administration Tool

To prevent a takeover of the server, please change the Administration Tool password on the [Configuration] > [Password] page. The default password is “sa”.

 


SIP Authentication

There are two ways to enable SIP Authentication: for the entire server, or for certain SIP requests only. To use SIP Authentication, an administrator needs to add users on the [User Authentication] page. Please refer to the section “Set up SIP-UA” for more details.

 

SIP Authentication for all INVITE/REGISTER requests

Please enable SIP Authentication on the [Configuration] > [SIP] page. This setting affects all INVITE and REGISTER requests.

Item       Setting Value   Explanation
REGISTER   on              Authenticates REGISTER requests.
INVITE     on              Authenticates INVITE requests.

 

SIP Authentication for certain requests

The server can authenticate specific SIP requests by using the $auth variable in the Dial Plan.

The $auth variable determines whether to authenticate the matched request or not. If the value is “true”, the server authenticates the request. If the value is “false”, the server does not authenticate the request.

Example-1: Authenticate SUBSCRIBE requests.

  Matching Patterns        Deploy Patterns
  $request = ^SUBSCRIBE    $auth = true
                           $continue = true

The [Configuration] > [SIP] page also has authentication settings for MESSAGE and SUBSCRIBE requests.

 

Example-2: Don’t authenticate INVITE requests if they come from 192.168.0.x.

  Matching Patterns        Deploy Patterns
  $request = ^INVITE       $auth = false
  $addr = ^192.168.0       $continue = true

 


Block a non-registered user’s INVITE request

To block non-registered users, the following sample Dial Plan rules can be used.

 

Example-1: If a client is not registered in the server, its INVITE request will be rejected with a “403 Forbidden” response.

  Matching Patterns            Deploy Patterns
  $request = ^INVITE           $action = 403
  $registeredSender = false

 

Example-2: If a client’s registered IP address and port do not match the request’s remote IP address and port, the request will be rejected with a “403 Forbidden” response.

  Matching Patterns            Deploy Patterns
  $request = ^INVITE           $action = 403
  $addrport = (.+)
  $regAddr(From) =! %1
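
The two rules above, modelled as an added example (not Brekeke's code and not part of the original page): a small Python evaluator applies the Matching Patterns, including the %1 back-reference and the =! negation, to constructed requests. How the variables are derived from a registration table, the unanchored regex matching, and all sample names and addresses are assumptions of this model.

```python
import re

# The two Dial Plan rules above as (Matching Patterns, $action).
# A leading "!" stands for the page's "=!" (the pattern must NOT match).
RULES = [
    ([("request", "^INVITE"), ("registeredSender", "false")], "403"),
    ([("request", "^INVITE"), ("addrport", "(.+)"),
      ("regAddr(From)", "!%1")], "403"),
]

def variables(req, registrations):
    # Model assumption: a sender counts as registered when its From user
    # has an entry in the (constructed) registration table.
    reg = registrations.get(req["from_user"])
    return {"request": req["line"],
            "addrport": f"{req['src_ip']}:{req['src_port']}",
            "registeredSender": "true" if reg else "false",
            "regAddr(From)": reg or ""}

def rule_matches(patterns, values):
    captured = []  # groups captured so far, referenced as %1, %2, ...
    for name, pattern in patterns:
        negate = pattern.startswith("!")
        # Replace %N with the escaped text of an earlier capture group.
        pattern = re.sub(r"%(\d+)",
                         lambda m: re.escape(captured[int(m.group(1)) - 1]),
                         pattern.lstrip("!"))
        found = re.search(pattern, values[name])  # assumption: unanchored
        if bool(found) == negate:
            return False
        if found:
            captured.extend(found.groups())
    return True

def decide(req, registrations):
    """Return the $action of the first matching rule, or None (no rule hit)."""
    values = variables(req, registrations)
    for patterns, action in RULES:
        if rule_matches(patterns, values):
            return action
    return None

# Constructed sample data (documentation address ranges).
REGISTRATIONS = {"alice": "203.0.113.10:5060"}

def request(method, user, ip, port):
    return {"line": f"{method} sip:100@pbx.example SIP/2.0",
            "from_user": user, "src_ip": ip, "src_port": port}
```

In this model, decide() returns "403" for an INVITE from an unregistered sender and for a registered user whose source address or port differs from the registration, and None otherwise.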

 


Block Malicious Activities with Block List

From Brekeke SIP Server v3.2, the Block List feature can be used to define filter policies and block policies that detect malicious activities by the frequency of SIP attempts and add the source IP addresses of these suspicious attempts to the blocked IP database. In addition, with preliminary Dial Plan rules that use a block action, Brekeke SIP Server can block malicious activities by checking SIP headers and add their source IP addresses to the blocked IP database.

 

 
